Re: [squid-users] Redirects changing POST to GET

From: Amos Jeffries <squid3@dont-contact.us>
Date: Thu, 24 Jan 2008 11:00:43 +1300 (NZDT)

> I've setup a reverse proxy running Squid 2.6.STABLE6 5.el5_1.2 on RHEL5.1.
> All remote access to the proxy is supposed to be via HTTPS, but since
> some of the protected apps give out absolute URL's at HTTP, I've also
> setup a redirector that listens on port 80 and sends a 301 redirect back
> to the client with an HTTPS version of the same URL. My rewrite script is
> pretty simple:
>
> #!/usr/bin/perl
> $|=1;
> while (<>) {
> s/^http:/301:https:/;
> print;
> }
>
> The problem I'm seeing is that whenever a CGI is called via HTTP with a
> POST method, it gets converted to GET when the new request comes in on
> HTTPS. This, of course, breaks the app. Here's a log snippet:
>
> 1200950259.294 2 192.168.2.8 TCP_MISS/301 200 POST
> http://inf.domain.org/pls/orasso/orasso.wwsso_app_admin.ls_logout - NONE/-
> -
> 1200950259.396 75 192.168.2.8 TCP_MISS/404 704 GET
> https://inf.domain.org/pls/orasso/orasso.wwsso_app_admin.ls_logout -
> FIRST_UP_PAREN
> T/172.22.66.206 text/html
>
> When I bypass the proxy, the HTTP POST method works just fine. Any ideas
> what might be causing the method to change or how to get around this?
> Every web search I try comes up empty. I'm not sure if the variables are
> getting dropped in the process, or if the app just doesn't know how to
> handle GET methods, but regardless, this is a debilitating problem for
> this app, so I really need a solution. The app in question is Oracle
> Collaboration Suite 10g, if it makes a difference. My squid.conf follows.
>

Sounds like a broken CGI to me. With redirection to 301:... squid should
be actually sending the 301 back to the client for it to re-POST back to
the new URI.

Amos

> # grep -v "^#" squid.conf | sed -e '/^$/d'
> http_port 80 vhost
> https_port 443 cert=/etc/squid/server.crt key=/etc/squid/server.pem vhost
> icp_port 0
> cache_peer 172.26.6.159 parent 443 0 no-query originserver ssl
> sslflags=DONT_VERIFY_PEER name=server1-app-peer
> cache_peer 172.22.66.208 parent 80 0 no-query originserver name=app-peer
> cache_peer 172.22.66.206 parent 80 0 no-query originserver name=inf-peer
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> cache deny QUERY
> acl apache rep_header Server ^Apache
> broken_vary_encoding allow apache
> maximum_object_size 0 KB
> access_log /var/log/squid/access.log squid
> url_rewrite_program /usr/local/bin/rewrite-http
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern . 0 20% 4320
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> acl sites_server1-app dstdomain server1b.domain.org server1-app.domain.org
> acl sites_app dstdomain app.domain.org
> acl sites_inf dstdomain inf.domain.org
> acl webserver dst 172.26.6.159 192.168.2.65 172.22.66.208 172.22.66.206
> http_access allow webserver
> miss_access allow webserver
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> http_access deny all
> http_reply_access allow all
> icp_access allow all
> cache_peer_access server1-app-peer allow sites_server1-app
> cache_peer_access app-peer allow sites_app
> cache_peer_access inf-peer allow sites_inf
> cache_mgr systems@domain.org
> coredump_dir /var/spool/squid
>
Received on Wed Jan 23 2008 - 15:00:49 MST

This archive was generated by hypermail pre-2.1.9 : Fri Feb 01 2008 - 12:00:05 MST